
Cisco AI Endpoint Analytics – Deployment guide

This deployment guide is for customers, partners and anyone working on endpoint visibility who wants to adopt Cisco AI Endpoint Analytics. It covers integration with ISE for policy enforcement and best practices for defining segmentation policies for SD-Access.

It does not cover Authentication, Authorization and Accounting (AAA) or full SD-Access integration; those are beyond the scope of this document.

Overview-Deployment guide -pic1.png

Dated: 3/29/2020

 

Overview

Visibility is the first step towards securing an endpoint. The key to endpoint visibility is the ability to identify and classify the different types of endpoints, both IT and IOT devices, on the network.

Cisco AI Endpoint Analytics detects endpoints and IOT devices and classifies them with several labels (Endpoint Type, Hardware Model, Manufacturer, OS Type). Assigning multiple labels to an endpoint is called Multi-Factor Classification (MFC). The advantage is that endpoints can be categorized in several independent ways, and each of those labels can be used by ISE when enforcing access policies.

The AI Endpoint Analytics engine and its user interface run on Cisco DNA Center on premises. It assigns labels to endpoints as telemetry arrives from the network and other sources. The diagram below shows Multi-Factor Classification (MFC).

Overview-Deployment guide -MFC.png

The first version of Endpoint Analytics uses three sources of endpoint metadata:

  1. Deep Packet Inspection on Cat9k switches and/or the Telemetry Sensor
  2. ISE discovery mechanisms and probe data
  3. ServiceNow (Configuration Management Database)

Endpoint metadata from the two primary sources (Cat9k/Telemetry Sensor and ISE) is fed into Cisco DNA Center, where Endpoint Analytics assigns labels to IT and IOT devices as described above. The sample deployment below shows the components involved.

Overview-Deployment guide -topology.png

Once AI Endpoint Analytics has assigned labels, it sends that context to ISE for authorization. ISE uses the labels in custom profiling policies, which are then referenced in authorization policies. Those authorization policies are the policy decision points that enforce network access across the enterprise.

Data Sources

Deep Packet Inspection from Cat9k/Cisco Traffic Telemetry Appliance:

Network Based Application Recognition (NBAR2) is an embedded technology built into switches (for example, Cat9k access switches). It detects and analyzes Layer 7 (application layer) data from around 1500 IT and IOT protocols, along with network- and transport-layer information about the associated endpoints.

These protocols include the standard application protocols used in the enterprise (browser, email, chat, voice/video). For enterprise IOT, NBAR2 supports building automation protocols (BACnet), IOT messaging (MQTT and others), mDNS and other multicast protocols. For healthcare it supports DICOM, HL7 and similar protocols used for imaging and electronic record storage and retrieval.

In addition, the Software Defined Application Visibility and Control (SD-AVC) agent collects endpoint information from the network using CDP/LLDP and SNMP.

NBAR2 is also used for application visibility and QoS in Cisco DNA Center and is supported on a variety of platforms (Cat9k access switches, Cisco Traffic Telemetry Appliance (TTA)). This document focuses on the use of NBAR2 for endpoint visibility.

The Telemetry Sensor is the Cisco TTA appliance running IOS-XE. It replaces the Cat9k DPI function described above when the access layer consists of legacy or third-party switches that do not have NBAR2 embedded. It collects network traffic through SPAN/TAP connections from the distribution switch.

The diagram below is a simplified topology in which both Cat9k switches and the Cisco Traffic Telemetry Appliance send information to Cisco AI Endpoint Analytics.

Overview-Deployment guide -NBAR.png

ISE Discovery Mechanism and probe data:

Identity Services Engine (ISE) is a software appliance for network access control and for visibility and profiling of IT assets. It collects endpoint metadata from IT systems using traditional protocols such as RADIUS, DHCP and SNMP to detect IT assets in the enterprise. ISE probes such as Active Directory, Mobile Device Manager and AnyConnect (ACIDEX extensions) add further value to the asset information gathered by Endpoint Analytics.

ServiceNow (Configuration Management Database – CMDB)

ServiceNow is a configuration management database, a repository of asset information in an enterprise. Endpoint Analytics can currently only receive asset information from ServiceNow; bi-directional support is planned. Endpoint asset information from ServiceNow can be used by Endpoint Analytics to profile an endpoint.

Deployment Types

AI Endpoint Analytics can be deployed in the following ways, or in combinations of them.

Endpoint Analytics - deployment types.JPG

Here is an example of a wired network topology with Cat9k access switches.

Endpoint Analytics - wired.JPG

Here is the same topology using the Cisco TTA (Telemetry Sensor) with legacy or non-Cisco switches.

Endpoint Analytics - TTA.JPG.png

Endpoint Analytics Solution Requirements

  • Cisco DNA Center 2.1.2.x
  • Policy and Access: ISE 2.4 Patch 11, ISE 2.6 Patch 5, ISE 2.7 Patch 1, or higher
  • Catalyst 9200/9300/9400 (IOS-XE 17.3.1)
  • Cisco Traffic Telemetry Appliance (IOS-XE 17.3.1)

This deployment guide is not an installation guide for Cisco DNA Center. For the full installation procedure, see:

https://www.cisco.com/c/en/us/support/cloud-systems-management/dna-center/products-installation-guides-list.html

  1. When Cisco DNA Center is installed and connected to the network, you will see the login banner:

Welcome to the Maglev Appliance

Log in as the maglev user from the CIMC console, or open an SSH session to the host IP address assigned during installation, on destination port 2222.

maglev-master-1 login: maglev
Password: [type the Cisco DNA Center CLI password assigned during installation]

  2. Log in to the Cisco DNA Center UI, click the ? at the top of the screen, click About, and then click Packages. You will see the key packages listed as in the screenshot below.

Endpoint Analytics - packages.png

  3. Go to Menu > System > Software Updates > Installed Apps and check that the three key applications, "AI Endpoint Analytics", "AI Network Analytics" and "Application Visibility Services", are installed.

Endpoint Analytics - installed apps.png

 

Verify service checks post installation

  • From the Cisco DNA Center UI, go to System > System 360. Under Cluster: Hosts, click the service count (# services).

  • Find Kairos agent (ai), collector-ise (ise), endpoint analytics (eps) and SDAVC Server (avc). The status of each should be UP. Hovering over the information icon next to UP shows the service status and version number. Make a note of the versions.

(Optional) If the services are not running:

Log in to the Cisco DNA Center CLI using SSH.

  • Run the following command to verify that the package is deployed and the service is running.

The versions should match the About section of the UI discussed above, and the status should be DEPLOYED.

$ sudo maglev package status
[administration] username for 'kong-frontend.maglev-system.svc.cluster.local': admin
[administration] password for 'admin':
maglev-1 [main - https://kong-frontend.maglev-system.svc.cluster.local:443]
NAME DISPLAY_NAME DEPLOYED AVAILABLE STATUS PROGRESS
---------------------------------------------------------------------------------------------------------------------------------------
access-control-application Access Control Application 2.1.260.62555 - DEPLOYED
ai-network-analytics AI Network Analytics 2.4.15.0 - DEPLOYED
app-hosting Application Hosting - 1.4.244.200727 NOT_DEPLOYED
application-policy Application Policy - 2.1.260.170177 NOT_DEPLOYED
application-registry Application Registry 2.1.260.170177 - DEPLOYED
application-visibility-service Application Visibility Service 2.1.260.170177 - DEPLOYED
assurance - Base 2.1.2.273 - DEPLOYED
….
….
endpoint-analytics AI Endpoint Analytics 1.2.1.320 - DEPLOYED
group-based-policy-analytics Group-Based Policy Analytics 1.0.1.158 - DEPLOYED
….

ssa Stealthwatch Security Analytics 2.1.260.1095096 - DEPLOYED
system 1.5.208 - DEPLOYED
system-commons System Commons 2.1.260.62555 - DEPLOYED
umbrella Cisco Umbrella - 2.1.260.592206 NOT_DEPLOYED
wide-area-bonjour Wide Area Bonjour - 2.4.260.12079 NOT_DEPLOYED

 

Other commands useful for troubleshooting are magctl appstack status (appstack state) and magctl service display (service state).
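The package check above can be scripted rather than read by eye. The following Python is an added example written for this page, not a Cisco tool and not part of the guide: it parses the `sudo maglev package status` listing (the embedded sample is a trimmed, constructed copy of the output above) and reports which of the three required packages are absent, not DEPLOYED, or without a deployed version. The set of status words it recognises is an assumption based on the values visible above.

```python
"""Check `sudo maglev package status` output for the packages Endpoint Analytics needs.

Added example, not a Cisco tool and not part of the guide. SAMPLE_OUTPUT is a
trimmed, constructed copy of the listing shown above. Column alignment in real
output varies, so rows are parsed as whitespace tokens, keyed on the STATUS token.
"""
import sys

# Packages the guide says must be DEPLOYED for AI Endpoint Analytics.
REQUIRED = {
    "endpoint-analytics",
    "ai-network-analytics",
    "application-visibility-service",
}

# Assumption: status values the listing can show (DEPLOYED and NOT_DEPLOYED appear above).
STATUSES = {"DEPLOYED", "NOT_DEPLOYED", "DEPLOYING", "FAILED"}

SAMPLE_OUTPUT = """\
NAME DISPLAY_NAME DEPLOYED AVAILABLE STATUS PROGRESS
------------------------------------------------------------------------
access-control-application Access Control Application 2.1.260.62555 - DEPLOYED
ai-network-analytics AI Network Analytics 2.4.15.0 - DEPLOYED
app-hosting Application Hosting - 1.4.244.200727 NOT_DEPLOYED
application-visibility-service Application Visibility Service 2.1.260.170177 - DEPLOYED
assurance - Base 2.1.2.273 - DEPLOYED
endpoint-analytics AI Endpoint Analytics 1.2.1.320 - DEPLOYED
system 1.5.208 - DEPLOYED
umbrella Cisco Umbrella - 2.1.260.592206 NOT_DEPLOYED
"""


def parse_package_status(text):
    """Return {name: {"display_name", "deployed", "available", "status"}} from the listing.

    Row layout: NAME, DISPLAY_NAME (zero or more words), DEPLOYED version or '-',
    AVAILABLE version or '-', STATUS, optional PROGRESS."""
    packages = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] == "NAME" or set(tokens[0]) == {"-"}:
            continue
        # STATUS is the last token unless a PROGRESS value follows it.
        status_idx = len(tokens) - 1 if tokens[-1] in STATUSES else len(tokens) - 2
        if tokens[status_idx] not in STATUSES:
            continue  # not a package row (prompt, banner, etc.)
        deployed, available = tokens[status_idx - 2], tokens[status_idx - 1]
        packages[tokens[0]] = {
            "display_name": " ".join(tokens[1:status_idx - 2]),
            "deployed": None if deployed == "-" else deployed,
            "available": None if available == "-" else available,
            "status": tokens[status_idx],
        }
    return packages


def missing_required(packages, required=REQUIRED):
    """Required packages that are absent, not DEPLOYED, or report no deployed version."""
    return sorted(
        name for name in required
        if packages.get(name, {}).get("status") != "DEPLOYED"
        or packages.get(name, {}).get("deployed") is None
    )


if __name__ == "__main__":
    # Usage: save the listing to a file and pass its path; with no argument the sample is used.
    listing = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    problems = missing_required(parse_package_status(listing))
    print("missing or not deployed:", problems or "none")
    sys.exit(1 if problems else 0)
```

The non-zero exit code makes the check usable from a post-install script; on the sample listing all three required packages are DEPLOYED and nothing is reported.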

Verify logging

Verify the logs from System > System 360: click Services, then endpoint-analytics.

Endpoint Analytics - Logs1.png

To follow (tail) the current log of any service, run the following command in the CLI:

magctl service logs -r -f <service-name>

ISE setup

This guide assumes that Cisco ISE is already deployed in production or in a lab and is not yet integrated with any Cisco DNA Center instance.

The Endpoint Analytics service requires ISE to be on one of the supported versions/patch levels. This is a prerequisite for the Cisco DNA Center integration with ISE:

  • 2.4 Patch 11 or later
  • 2.6 Patch 5 or later
  • 2.7 Patch 1 or later, and ISE 3.0 or later

ISE should already be configured for authentication and authorization with 802.1X/MAC Authentication Bypass.

ISE Profiling configuration

First and foremost, make sure that the Profiling service is enabled in ISE and that the network devices are configured to send probe data to ISE. Refer to the ISE Profiling Design Guide for details.

Enable the pxGrid probe and the Probe Data Publisher on ISE:

  • Log in to the ISE GUI as an admin user.
  • Navigate to Administration > System > Deployment, select the ISE node and click Edit Node. On the Profiling Configuration tab, enable the pxGrid probe. This probe receives the profiling labels that the Endpoint Analytics service in Cisco DNA Center publishes.

      Endpoint Analytics - pxgrid-service.png

  • Go to Work Centers > Profiler > Settings and check Enable Probe Data Publisher (it is disabled by default). Save the changes. This is required for ISE to publish endpoint data to Cisco DNA Center.
Endpoint Analytics - probe data publisher.jpg

ISE and DNAC integration

For the ISE integration to complete, Cisco DNA Center must be able to resolve the ISE Fully Qualified Domain Name when ISE is added as a AAA server. DNS must therefore be configured in the environment, with host (A) and pointer (PTR) records for ISE in place. Adding the ISE server creates a pxGrid certificate in ISE with the Cisco DNA Center MAC address in the Subject Alternative Name (SAN).

Use the following documentation for the Cisco DNA Center to ISE integration.

Turn on the ISE pxGrid service and the pxGrid probe:

  • Go to Administration > System > Deployment > Edit Node and select the pxGrid service.
  • Go to the Profiling Configuration tab and enable the pxGrid probe.
  • From Administration > Settings > ERS Setting, enable ERS.

Make sure the ISE IP address/FQDN is present in the ISE certificate and is DNS resolvable. Then add ISE in Cisco DNA Center from Menu > Settings > Policy Servers.

Endpoint Analytics - In progress.png

In the ISE UI, under Administration > pxGrid Services, you will see that the "dnac" client has a new publication, "endpoint asset". This is the topic used to send the classifications back to ISE.

If the DNAC pxGrid clients are Pending, approve them from the All Clients tab.

Endpoint Analytics - DNAC topic.png

The status of ISE in Cisco DNA Center changes to ACTIVE after you approve the client.

Endpoint Analytics - Active.PNG

Provisioning of Network Device ( Cat9k / Cisco Traffic Telemetry Appliance)

The network device(s) must be managed by, and have the SD-AVC configuration provisioned from, the Cisco DNA Center appliance.

Back up your network device configuration before provisioning.

  • Configure an SNMP read-only community on the Cat9k (snmp-server community <string> RO). Use a unique community string rather than the default public, and restrict it with an access list where possible; the same community is entered in Cisco DNA Center when the device is discovered.
  • Configure the vty lines to accept the transport Cisco DNA Center uses (transport input all as the guide assumes, or restrict it to ssh if SSH is the only protocol used for device management).

Before you configure SD-AVC, turn on AI Cloud so that the probe data is passed to ML for learning.

Connect to Machine Learning(ML)/AI Cloud Services

All connections to the cloud are outbound on TCP/443; there are no inbound connections (the cloud does not initiate TCP flows towards Cisco DNA Center).

The Fully Qualified Domain Name (FQDN) to allow in the HTTPS proxy and/or firewall is:

  • api.euc1.prod.kairos.ciscolabs.com (API endpoint)

Cisco DNA Center must also be able to resolve the cloud server addresses in DNS.

Connections to the cloud servers may go through a proxy (explicit or transparent) if required. The proxy setting, if any, is inherited from the Cisco DNA Center system configuration.

AI Cloud registration

For Machine Learning (ML) to be enabled, Cisco DNA Center must be tethered to the AI cloud, which requires cloud registration.

Once the steps above are complete, go to the Cisco DNA Center web UI to complete the AI Cloud registration:

  • System > Settings > External Services > Cisco AI Analytics

    Endpoint Analytics - AI analytics.png

  • Click Configure and enable the Endpoint Smart Grouping and AI Spoof Detection options.

    Endpoint Smart Grouping uses the AI/ML cloud to cluster unknown endpoints so that administrators can label them. This is very useful for reducing the number of unknowns in the network.

    AI Spoof Detection, when enabled, lets Cisco gather NetFlow information from your network, which is used to model endpoint behaviour.

Choose the region that matches your location. The cloud connection is then verified, and a green check mark appears when the connection succeeds.

 

Note: If the connection fails, check the proxy settings in Cisco DNA Center under System > Settings > System Configuration > Proxy Config.

 

Endpoint Analytics - AI analytics2.png

  • Check the box to accept the Cisco Universal Cloud Agreement terms and click Enable:

Endpoint Analytics - AI analytics2-cloudagreement.png

  

Once registration is complete, a pop-up message appears:

Endpoint Analytics - AI analytics2-success.png

 

Enabling Cisco DNA Center as NetFlow collector (needed for ML data collection)

In Cisco DNA Center, click Menu > Design > Network Settings and enable telemetry so that Cisco DNA Center collects NetFlow. Set Cisco DNA Center as the collection server if the network devices send their flows to it; otherwise use the option to add a different NetFlow collector.

Endpoint Analytics - Enabling Netflow.png

Enabling NetFlow on network devices (needed for ML data collection)

This is supported on Cat9k access switches and is how ML collects the data used for modeling.

Go to Menu > Provision > Inventory, select the site and then the switch.

From the Actions drop-down choose Telemetry > Enable Application Telemetry. This enables NetFlow on all ports. To enable it only on selected ports, use the CLI commands below instead. Alternatively, add the keyword 'lan' to the description of the relevant switch ports; the configuration is then pushed only to those ports.

 

Manually configuring NetFlow on the device

Define the flow record, the exporter and the monitor first, then apply the monitor to the access ports. 10.62.140.77 is the Cisco DNA Center IP address in this example; replace it with yours.

flow record fnf-avc-ipv4
 match ipv4 version
 match ipv4 protocol
 match application name
 match connection client ipv4 address
 match connection server ipv4 address
 match connection server transport port
 match flow observation point
 collect flow direction
 collect connection initiator
 collect connection new-connections
 collect connection client counter packets long
 collect connection client counter bytes network long
 collect connection server counter packets long
 collect connection server counter bytes network long
 collect timestamp absolute first
 collect timestamp absolute last
!
! Exporter pointing at the Cisco DNA Center collector
flow exporter DNAC
 destination 10.62.140.77
 transport udp 6007
 option interface-table timeout 10
 option vrf-table timeout 10
 option sampler-table
 option application-table timeout 10
 option application-attributes timeout 10
!
flow monitor fnf-avc-mon
 exporter DNAC
 cache timeout inactive 10
 cache timeout active 60
 record fnf-avc-ipv4
!
! Access port(s) carrying endpoint traffic
interface GigabitEthernet1/0/13
 ip flow monitor fnf-avc-mon input
 ip flow monitor fnf-avc-mon output
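Because the monitor is applied per port when configured by hand, it is easy to miss an access port or to attach the monitor to an uplink by mistake. The following Python is an added example, not from the guide or from Cisco: it parses a running-config and audits the exporter destination, the UDP 6007 transport, the monitor-to-exporter binding and the per-interface monitors, using the 'lan' description keyword from the text above to identify access ports. The embedded config is constructed (one correct access port, one access port missing its output monitor, one uplink); the collector address 10.62.140.77 is the one used in the configuration above.

```python
"""Audit a Catalyst 9k running-config for the NetFlow pieces Cisco DNA Center needs.

Added example, not from the Cisco guide. SAMPLE_CONFIG is constructed:
Gi1/0/13 is configured as the guide shows, Gi1/0/14 is an access port whose
output monitor was forgotten, Gi1/0/24 is an uplink that must not carry the monitor.
"""

DNAC_IP = "10.62.140.77"   # collector address used in the configuration above
EXPORTER = "DNAC"
MONITOR = "fnf-avc-mon"
ACCESS_TAG = "lan"         # description keyword the text uses to mark access ports

SAMPLE_CONFIG = """\
flow exporter DNAC
 destination 10.62.140.77
 transport udp 6007
 option interface-table timeout 10
 option application-table timeout 10
!
flow monitor fnf-avc-mon
 exporter DNAC
 cache timeout inactive 10
 cache timeout active 60
 record fnf-avc-ipv4
!
interface GigabitEthernet1/0/13
 description lan access port
 switchport mode access
 ip flow monitor fnf-avc-mon input
 ip flow monitor fnf-avc-mon output
!
interface GigabitEthernet1/0/14
 description lan access port
 switchport mode access
 ip flow monitor fnf-avc-mon input
!
interface GigabitEthernet1/0/24
 description uplink to distribution
 switchport mode trunk
!
"""


def parse_sections(config):
    """Split an IOS-style config into {top-level line: [child lines]}.

    Children are the indented lines following a top-level line; a '!' line
    or a blank line ends the current section."""
    sections, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        if raw.startswith(" "):
            if current is not None:
                sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections.setdefault(current, [])
    return sections


def audit_netflow(config, dnac_ip=DNAC_IP):
    """Return a list of findings; an empty list means the config matches the guide."""
    sections = parse_sections(config)
    findings = []

    exporter = sections.get(f"flow exporter {EXPORTER}")
    if exporter is None:
        findings.append(f"flow exporter {EXPORTER} is missing")
    else:
        if f"destination {dnac_ip}" not in exporter:
            findings.append(f"exporter {EXPORTER} does not point at Cisco DNA Center {dnac_ip}")
        if "transport udp 6007" not in exporter:
            findings.append(f"exporter {EXPORTER} is not using UDP 6007")

    monitor = sections.get(f"flow monitor {MONITOR}")
    if monitor is None or f"exporter {EXPORTER}" not in monitor:
        findings.append(f"flow monitor {MONITOR} is missing or not bound to exporter {EXPORTER}")

    for header, body in sections.items():
        if not header.startswith("interface "):
            continue
        name = header.split(" ", 1)[1]
        description = next((line for line in body if line.startswith("description ")), "")
        is_access = ACCESS_TAG in description.lower()
        has_in = f"ip flow monitor {MONITOR} input" in body
        has_out = f"ip flow monitor {MONITOR} output" in body
        if is_access and not (has_in and has_out):
            findings.append(
                f"{name}: access port is missing the flow monitor (input={has_in}, output={has_out})"
            )
        if not is_access and (has_in or has_out):
            findings.append(f"{name}: non-access port carries the flow monitor")
    return findings


if __name__ == "__main__":
    for finding in audit_netflow(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the real device by pasting the output of show running-config into the function; on the sample it reports only Gi1/0/14. The description-keyword test mirrors how the 'lan' keyword is used above, so a port that is tagged but not monitored, or monitored but not tagged, shows up either way.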

Please see Appendix-2 at the end of the document for a complete check list of items that needs to be configured and verified.

SD-AVC (Software Defined Application Visibility and Control) setup

SD-AVC on supported IOS-XE platforms provides the telemetry used for high-fidelity classification of endpoints.

SD-AVC can be deployed with the following network devices:

  • Cisco Catalyst 9200/9300/9400
  • Telemetry boxes: Cisco Traffic Telemetry Appliance (IOS-XE 17.3.1). These capture SPAN traffic at the aggregation layer when the network has legacy Cisco or third-party devices.

Catalyst 9200/9300/9400

IOS-XE image installation/upgrade

Customers using Cat9k switches with SD-AVC to gather endpoint telemetry should upgrade the switches to IOS-XE 17.3.1 before deploying and integrating Cisco DNA Center and the Endpoint Analytics service.

Upgrade steps

  • Follow the instructions below to upgrade the switch:

Upgrading the Switch Software

  • Once the device has rebooted, check that show version shows the DNA Advantage license:

Cat9k#show version
...
Technology Package License Information:

-----------------------------------------------------------------
Technology-package                         Technology-package
Current             Type                   Next reboot
------------------------------------------------------------------
network-advantage   Smart License          network-advantage
dna-advantage       Subscription           dna-advantage

The switch should be configured for 802.1X / MAC Authentication Bypass (MAB). MAB lets ISE authenticate an IOT device by its MAC address; access is then allowed or denied by the authorization policy. Profiling identifies and classifies the IOT device, which is then reauthorized with the appropriate level of access.

Enable CBAR (Controller Based Application Recognition)

The following steps add a network device to Cisco DNA Center, provision its configuration and enable CBAR.

  1. Follow the instructions below to discover and add your network device(s) to the Cisco DNA Center inventory:
     Cisco DNA Center – Discover your Network
  2. Go to Settings > Device Controllability and check that it is enabled.
  3. Go to Provision > Devices > Inventory and add the device under a site. Provide the CLI and SNMP credentials needed to connect and to enter enable mode. Wait until the device is added successfully.
  4. Go to Provision > Services > Application Visibility and scroll to the bottom of the page to see the device details. Endpoint Analytics - enable AVC.png
  5. Select the device and click Enable CBAR, then wait for the deployment to complete. In some cases, when the certificate is not installed correctly during provisioning or when the
  6. Connect to the switch and check that the SD-AVC status is CONNECTED:

Cat9k-DNAC-DCS#sh avc sd-service info summary
Status: CONNECTED

 

If Endpoint Analytics and Cisco DNA Center are not receiving SD-AVC data, it may be a provisioning error. If the network device was previously managed by another Cisco DNA Center instance, clean up the certificate on the switch and add the device again:

  1. Remove the Cat9k from Cisco DNA Center.
  2. Remove the Cisco DNA Center trustpoint on the switch with 'no crypto pki trustpoint DNAC-CA'.
  3. Remove the SD-AVC configuration on the switch with 'no avc sd-service'.
  4. Add the Cat9k back to Cisco DNA Center and check that it is Managed.
  5. Enable Application Visibility and check that it shows Enabled.
  6. Connect to the switch and run the following command to check that SD-AVC shows Connected:

Cat9k-DNAC-DCS#sh avc sd-service info summary
Status: CONNECTED

Cisco Traffic Telemetry Appliance

This Cisco appliance performs Deep Packet Inspection where the access layer consists of legacy or non-Cisco network devices. Layer 2 traffic must be mirrored to the appliance for NBAR and DPI. (The ordering PID is DN-APL-TTA-M.)

Physical connections

The Telemetry box is connected to the distribution layer through one SPAN port (Layer 2 traffic and discovery protocols) per distribution switch.

Cisco Traffic Telemetry Appliance connections

Below is information on the ports and connections used on the Cisco Traffic Telemetry Appliance (Cisco TTA). The blue cable in the chassis picture was connected to GE1 when the picture was taken; it should be connected to GE0 as shown in the connection diagram below.

Endpoint Analytics - TTA.PNG

Gi0/0/5 is the management interface and Gi0 is the backup. Interfaces Gi0/0/1-4 and Te0/0/0-1 are used as SPAN destinations on the Cisco TTA.

If you have multiple distribution switches, you can use both 10G ports or the four 1G ports to mirror traffic via SPAN and send endpoint traffic from different VLANs.

Note: A Cisco TTA supports up to 40,000 endpoints per appliance.

Cisco Traffic Telemetry Appliance pre-configuration

Include the endpoints' VLANs in the SPAN or remote SPAN session on your distribution switch. VLAN 1 carries the discovery traffic (CDP, LLDP), so include it as well. From your aggregation switch, enable SPAN with the following commands. The example assumes the IOT endpoints are in VLANs 10, 20 and 30 and uses a Gigabit Ethernet destination port; the same configuration applies to Ten Gigabit ports. VLANs or interfaces can be used as the source.

switch(config)#monitor session 1 source vlan 1 , 10 , 20 , 30 both
switch(config)#monitor session 1 destination interface gigabitEthernet 1/0/x

To verify:

switch#show running-config | include monitor
monitor session 1 source vlan 1 , 10 , 20 , 30
monitor session 1 destination interface Gi1/0/x

On the Cisco TTA, Gi0/0/5 is the management interface, used to send telemetry data to Cisco DNA Center.

Here are the commands to run on the appliance before adding it to the Cisco DNA Center inventory. Use enable secret and username ... secret rather than enable password / password 0, so that the credentials are stored hashed in the configuration; use unique SNMP community strings (not public/private), and only configure an RW community if write access is actually needed.

Cisco-TTA(config)#hostname Cisco-TTA
Cisco-TTA(config)#enable secret <password string>
Cisco-TTA(config)#aaa new-model
Cisco-TTA(config)#aaa authentication login default local
Cisco-TTA(config)#username admin privilege 15 secret <password string>
Cisco-TTA(config)#snmp-server community <read-only string> RO
Cisco-TTA(config)#snmp-server community <read-write string> RW
Cisco-TTA(config)#interface GigabitEthernet0/0/5
Cisco-TTA(config-if)#description ****Management interface******
Cisco-TTA(config-if)#ip address <IP address> <subnet mask>
Cisco-TTA(config-if)#cdp enable
Cisco-TTA(config-if)#exit
Cisco-TTA(config)#ip nbar classification tunneled-traffic capwap
Cisco-TTA(config)#end
Cisco-TTA#write memory
Building configuration...

 

Adding the Telemetry box to the Cisco DNA Center inventory

The Cisco TTA can be managed from Cisco DNA Center. Currently you cannot change the appliance configuration from Cisco DNA Center, but you can check the status of the appliance, its configuration, ports and so on.

Go to Menu > Provision > Devices > Inventory and add the device under a site. If you do not have a site yet, create one under Design > Network Hierarchy.

  1. Provide the CLI username/password, the enable password and the SNMP community needed to connect. Wait until the device is added successfully.
  2. Check the Device Name, Family (Network Management), Reachability (Reachable), Manageability (Managed) and Device Role (Distribution). The device shows as Non-Compliant at first; the status changes once it is fully provisioned.

Note: The serial number should be populated, and the Device Series should be Cisco DNAC Traffic Telemetry Appliances.

Endpoint Analytics - TTA-DNAC.png

Double-clicking the Device Name entry (for example, Entourage-TTA) opens a screen with the overall appliance status.

Endpoint Analytics - TTA-DNAC2.png

Note: For an endpoint to be visible in Endpoint Analytics, the network device it is connected to must be in the Cisco DNA Center inventory. Endpoints behind devices that are not in the inventory will not appear in Endpoint Analytics. This requirement is being addressed in future Cisco DNA Center releases/patches.

Enable CBAR (Controller Based Application Recognition)

Go to Menu > Provision > Application Visibility. If this is your first visit to Application Visibility, a wizard (shown below) opens: select the device on which to enable CBAR and proceed to the next step. Otherwise, select the device from the list and click the Enable CBAR button.

Once CBAR is enabled, the deployment status shows Completed.

Endpoint Analytics - enable CBAR.png

You can verify that the AVC (Application Visibility and Control) service is enabled on the box by logging in to the Cisco Traffic Telemetry Appliance and running the following CLI command:

Cisco-TTA#sh avc sd-service info summary
Status: CONNECTED
Device ID: Cisco-TTA
Device segment name: AppRecognition
Device address: 10.1.100.90
Device OS version: 17.03.01
Device type: DN-APL-TTA-M
Active controller:
Type : Primary
IP : 10.1.100.24
Status: Connected
Version : 4.0.0
Last connection: *02:26:00.000 UTC Sat Sep 5 2020

Connect to the Network Based Application Recognition (NBAR) cloud

Both the Cat9k and the Telemetry box collect endpoint metadata by Deep Packet Inspection of packet flows. The metadata is also sent to the NBAR cloud for analysis and to detect unknown protocol signatures. For this to work, the Cisco DNA Center appliance must be tethered to the cloud.

  • From the Cisco DNA Center UI, go to Provision > Services > All Services > Application Visibility. Click Configure under NBAR Cloud to open the panel, and enable the service.
  • Enter your Client ID, Client Secret and Organization Name (choose a unique name that reflects the organization and the use). Make sure the region is USA and save.

Note: To obtain these credentials, click "Cisco API Console" in the panel, which opens a portal. Log in with your CCO ID, create a new app, select the options corresponding to NBAR cloud and complete the form. At the end you receive a Client ID and Secret.

Endpoint Analytics - NBAR cloud.png

Start endpoint data collection from the Cisco TTA

Log in to the Cisco TTA CLI, go to the interface connected to the SPAN port of your distribution switch, and issue no shutdown on that Gigabit/Ten Gigabit interface.

Profiling using AI Endpoint Analytics and ISE integration

Open the Endpoint Analytics application as follows. Open the left panel by clicking the icon to the left of "DNA Center" (the hamburger menu).

From the Cisco DNA Center UI: go to Policy > AI Endpoint Analytics.

Endpoint Analytics - EA UI.png

You will see Total Endpoints on the left and AI Proposals on the right.

Total Endpoints shows endpoints that are Unknown (not profiled), partially profiled (Missing Profiles) and fully profiled.

It takes a while for ML grouping to produce enough clusters; allow a few hours. You will then see the following screen, with the active endpoints (Fully Classified, and the labels still missing for partially classified endpoints).

AI Proposals are populated on the right side of the screen.

Endpoint Analytics - overview.png

Clicking the Endpoint Inventory tab at the top of the screen lists the endpoints in the inventory. Profiling Rules lists the rules used for profiling, including the custom rules and AI rules you create.

To look at endpoint details, click a MAC address under the Endpoint Inventory tab. A side panel opens on the right showing the protocols and attributes collected. You can also see the IOTAsset attributes populated by Endpoint Analytics; these attribute/value pairs are what is sent to ISE. Keep this browser tab open; you will copy values from it.

Endpoint Analytics - inventory.png

Adding a custom profiling policy in ISE

Warning: When enabled, a custom profiling policy changes the profile of every endpoint that matches it, which can cause massive reprofiling across the ISE deployment. Avoid doing this on a production ISE system. Create custom policies in ISE with care, per device, and/or scope them with Network Device Groups as outlined below.

Log in to the ISE UI in a different browser tab.

  1. Go to Context Visibility > Endpoint Classification. A list of endpoints is shown at the bottom.
  2. Click the <gear icon> at the top right. It opens the list of columns that can be added to the view. Check the Total Certainty Factor option. This is the total weight of the profile currently assigned to the endpoint in ISE.

Endpoint Analytics - ISE custom profiling.png

Make a note of a few endpoints that need to be classified by Endpoint Analytics, along with their Total Certainty Factor, as in the example below. Let us focus on the endpoint with MAC address 58:0A:20:FA:4F:64. Its Total Certainty Factor is 285.

Endpoint Analytics - ISE custom profiling -TCF.png

  3. Click the MAC address to open the endpoint details.
  4. Go to the Attributes tab and locate the IOT attributes associated with that endpoint, as in the screenshot below.
Endpoint Analytics - ISE endpoint attributes.png

The attributes below match what you saw in the Endpoint Analytics UI under "IOTAsset". Also make a note of the Calling-Station-ID.

Calling-Station-ID   58-0A-20-FA-4F-64
assetDeviceType      IP Phone
assetHwRevision      Cisco IP Phone 8945^^Cisco-IP-Phone^^Cisco-Device
assetIpAddress       172.16.103.203
assetMacAddress      58:0A:20:FA:4F:64
assetSwRevision      Cisco IP Phone
assetVendor          Cisco Systems, Inc.
  5. From the ISE UI, go to Work Centers > Profiler > Profiling Policies. Add a new custom profiling policy named "IP_Phone_FromEA".

Endpoint Analytics - ISE profiling policy.png

  6. Before making any other changes, uncheck "Policy Enabled" so that the policy cannot match anything while you build it. At the bottom, under Rules, add a new rule by clicking the <gear icon> drop-down on the right.

Endpoint Analytics - ISE profiling condition.png

  7. Once you have created a rule, click the + in the condition box (Select_Attribute…), then click "Create a new condition". Select the attribute: choose the "IOTAsset" folder and, for example, the assetDeviceType attribute. In the middle box choose the operator CONTAINS.

Endpoint Analytics - ISE profiling condition -add.png

  8. Once you have selected the attribute and the operator, type the value for that attribute in the third box. Copy it from the IOTAsset attributes in the Cisco DNA Center > AI Endpoint Analytics browser tab and paste it here.
  9. Add more conditions based on the assetVendor, assetHwRevision and assetDeviceType attributes.

Endpoint Analytics - ISE profiling policy -final.png

Note: Last, and most importantly, add a condition on assetMacAddress. Without it the policy matches every endpoint that satisfies the other conditions (every phone of that model, for example); with it the policy is pinned to the one endpoint you are testing.

In a production ISE deployment, add all of the conditions, and above all the MAC address condition, before enabling the policy. You can also add a condition on the RADIUS attribute Calling-Station-ID with the MAC address as the value.

Finally, set two things before saving the policy: the Minimum Certainty Factor at the top, and the Policy Enabled option.

Each condition in the rule carries its own certainty factor increase; the policy matches an endpoint when the certainty factors of the matched conditions add up to at least the policy's Minimum Certainty Factor. ISE assigns the matching profile with the highest certainty, so the new policy has to outscore the profile currently assigned to the endpoint.

That is why the Minimum Certainty Factor has to be greater than the Total Certainty Factor we saw above for the endpoint (Context Visibility > Endpoint Classification), and why the conditions' certainty factors must add up to at least that minimum.

In our case, set it to 300, which is greater than 285. If you are unsure, use a larger number such as 500 or 1000, and size the condition certainty factors accordingly.

Endpoint Analytics - ISE profiling policy -final-with-CF.png
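To see how the certainty factors interact, here is a small model of the profile selection described above. It is an added example, not Cisco ISE code and not part of the guide: the two endpoints are constructed (the first reuses the IOTAsset attributes shown earlier, the second is the same phone model with a different MAC), the per-condition certainty factors are chosen for illustration, and the selection rule (a policy matches when its matched conditions reach the Minimum Certainty Factor, and the highest total certainty wins) is a simplification of the ISE profiler. It shows why a policy without an assetMacAddress condition reprofiles every phone of that model, and why 300 beats the existing Total Certainty Factor of 285.

```python
"""Model of ISE profile selection by certainty factor.

Added example, not Cisco ISE code and not part of the guide. Endpoint records,
condition weights and the selection rule are simplifications chosen here.
"""

# Constructed endpoints. The first reuses the IOTAsset attributes shown above; the
# second is the same phone model with a different MAC. Both currently carry the
# built-in Cisco-IP-Phone profile with a Total Certainty Factor of 285.
ENDPOINTS = {
    "58:0A:20:FA:4F:64": {
        "assetDeviceType": "IP Phone",
        "assetHwRevision": "Cisco IP Phone 8945^^Cisco-IP-Phone^^Cisco-Device",
        "assetVendor": "Cisco Systems, Inc.",
        "assetMacAddress": "58:0A:20:FA:4F:64",
    },
    "58:0A:20:FA:4F:99": {
        "assetDeviceType": "IP Phone",
        "assetHwRevision": "Cisco IP Phone 8945^^Cisco-IP-Phone^^Cisco-Device",
        "assetVendor": "Cisco Systems, Inc.",
        "assetMacAddress": "58:0A:20:FA:4F:99",
    },
}
CURRENT_PROFILE = ("Cisco-IP-Phone", 285)  # (name, Total Certainty Factor) before our policy


def condition(attr, op, value, cf):
    """One profiler condition: attribute, operator, value, certainty factor increase."""
    return {"attr": attr, "op": op, "value": value, "cf": cf}


def matches(cond, attrs):
    """Evaluate a single condition against an endpoint's attributes (case-insensitive)."""
    actual = attrs.get(cond["attr"], "")
    if cond["op"] == "CONTAINS":
        return cond["value"].lower() in actual.lower()
    if cond["op"] == "EQUALS":
        return actual.lower() == cond["value"].lower()
    raise ValueError(f"unsupported operator {cond['op']}")


def policy_score(policy, attrs):
    """Sum of the certainty factors of the conditions that match this endpoint."""
    return sum(c["cf"] for c in policy["conditions"] if matches(c, attrs))


def assign(policy, endpoints, current=CURRENT_PROFILE):
    """Return {mac: profile name} after evaluating the custom policy.

    Simplified ISE rule: the policy matches when its score reaches min_cf, and a
    matching policy replaces the current profile only if its score is higher than
    the current profile's Total Certainty Factor."""
    current_name, current_tcf = current
    result = {}
    for mac, attrs in endpoints.items():
        score = policy_score(policy, attrs)
        wins = score >= policy["min_cf"] and score > current_tcf
        result[mac] = policy["name"] if wins else current_name
    return result


# Policy without the MAC condition: every 8945 phone scores 300 and is reprofiled.
BROAD_POLICY = {
    "name": "IP_Phone_FromEA",
    "min_cf": 300,  # > 285, as the text above requires; the three conditions sum to 300
    "conditions": [
        condition("assetDeviceType", "CONTAINS", "IP Phone", 100),
        condition("assetHwRevision", "CONTAINS", "Cisco IP Phone 8945", 100),
        condition("assetVendor", "CONTAINS", "Cisco Systems", 100),
    ],
}

# Same conditions plus assetMacAddress: only the pinned endpoint can reach 400.
PINNED_POLICY = {
    **BROAD_POLICY,
    "min_cf": 400,
    "conditions": BROAD_POLICY["conditions"]
    + [condition("assetMacAddress", "EQUALS", "58:0A:20:FA:4F:64", 100)],
}

if __name__ == "__main__":
    print("broad :", assign(BROAD_POLICY, ENDPOINTS))
    print("pinned:", assign(PINNED_POLICY, ENDPOINTS))
```

With BROAD_POLICY both phones are reassigned to IP_Phone_FromEA; with PINNED_POLICY only 58:0A:20:FA:4F:64 is, and the other phone keeps Cisco-IP-Phone because it scores 300 against a minimum of 400. Dropping a condition so that the conditions sum to less than the minimum makes the policy match nothing at all, which is the other way a custom policy silently fails.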

The last step is to create an authorization policy that uses the custom profile created above.

Before that, decide what level of access each type of device needs before and after profiling. Some best practices follow.

Policy and Segmentation tips and best practices

These are guidelines for security policy on IOT devices when creating authorization policies for the stages before and after authentication and profiling.

Designing Security policies:

While designing security policies, remember that NBAR's Deep Packet Inspection (DPI) must see the application traffic to profile endpoints correctly. The default (pre-authentication) ACL and the post-authentication ACL should therefore both allow the application traffic. Recommendations for different types of endpoints follow.

If you start in limited-access or closed mode, use a MAC allowed list, or register the devices in the Endpoint Analytics UI (which creates labels) and use those attributes to build a custom profiling policy in ISE. You can also create Endpoint Identity Groups in Cisco ISE and use them as the MAC allowed list. The idea is to grant more privilege as you learn more context. There are two broad classes of devices, critical infrastructure/medical IOT devices and IT-managed devices; best practices for each follow.

Critical infrastructure/Medical IOT devices:

Medical IOT should be in its own VN. Use SGTs to allow or prevent access between medical IOT devices once they are profiled.

Medical IOT devices may need continuous access for critical patient care. Even when other edge switches are down they need continuous access to their resources, so design for fail open. Add access restrictions after profiling as needed, once you have tested and observed the device in monitor mode; base the restrictions on the type of medical IOT device.

Example 1: An MRI machine may need access to a PACS server or a gateway, but does not need internet access or access to other MRI machines. The PACS server should allow access from the gateway/MRI machine and from doctors' workstations.

PACS (Picture Archiving and Communication System) is used for image storage and retrieval and uses protocols such as DICOM and HL7 to communicate with the outside world.

If in doubt, err towards more access rather than less when dealing with critical infrastructure IOT or medical IOT for patient care: availability is critical for these devices.

IT devices:

IT devices can be part of the Campus VN, with SGTs controlling access between them; the approach above holds here too. Alternatively, provide limited access where you know the level of access and the applications used, for example printers, scanners, employee mobile devices or BYOD (Bring Your Own Device). Typically DHCP, DNS, AD, print servers and the applications needed for continuous service can be allowed before authentication, with more access granted after profiling based on SGTs (Scalable Group Tags).

For example, printers may need access to the print server and perhaps to a specific website for driver downloads; BYOD devices may not need access to internal resources at all.

If you are working with enterprise IOT devices (Roku, Apple TV, etc.) that rely on multicast or other discovery applications, remember to open those ports and protocols in the default pre-authentication access so NBAR can see the application and identify the endpoint.

Based on the role, location, and context of the device, you can provide granular access to the device.

Finally, combine the ACL and/or SGT with the VN in the authorization policy to provide the right level of access.
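The two-stage access model described in this section (a permissive pre-authentication ACL so NBAR can see application traffic, then a tighter per-device-type ACL after profiling) is shown below as an added example; it is not code from the deployment guide or from Cisco. The rules are modelled as an ordered list, evaluated first-match with the implicit deny IOS applies, and rendered as IOS access-list lines that can be pasted into a port ACL or an ISE downloadable ACL. The server addresses, the mDNS entry and the DICOM ports (104 and 11112) are assumptions, not values from the guide.

```python
"""Pre-auth port ACL and post-profiling dACL for the MRI example (added example).
Constructed addresses and ports are assumptions, not values from the guide."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" (any protocol), "tcp" or "udp"
    dst: str                    # destination network in CIDR; 0.0.0.0/0 = any
    port: Optional[int] = None  # destination port, None = any port

    def matches(self, proto: str, dst_ip: str, dport: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.dst):
            return False
        return self.port is None or self.port == dport


def evaluate(acl: List[Rule], proto: str, dst_ip: str, dport: Optional[int] = None) -> str:
    """First matching rule decides; no match means the implicit deny at the end."""
    for rule in acl:
        if rule.matches(proto, dst_ip, dport):
            return rule.action
    return "deny"


def to_ios(acl: List[Rule], name: Optional[str] = None) -> str:
    """Render as IOS ACEs. With `name`, prefix the 'ip access-list extended'
    header for a switch port ACL; without it, emit bare ACEs as pasted into
    an ISE downloadable ACL."""
    indent = " " if name else ""
    lines = [f"ip access-list extended {name}"] if name else []
    for rule in acl:
        net = ipaddress.ip_network(rule.dst)
        if net.prefixlen == 0:
            dst = "any"
        elif net.prefixlen == 32:
            dst = f"host {net.network_address}"
        else:
            dst = f"{net.network_address} {net.hostmask}"   # IOS wildcard mask
        port = f" eq {rule.port}" if rule.port is not None else ""
        lines.append(f"{indent}{rule.action} {rule.proto} any {dst}{port}")
    return "\n".join(lines)


# Constructed addresses (assumptions, not from the guide).
INFRA = "10.10.0.0/24"          # DHCP relay, DNS and AD live here
PRINT_SERVER = "10.20.0.5/32"
PACS = "10.30.0.10/32"
MDNS = "224.0.0.251/32"

# Before authentication: what the endpoint needs to come up, plus enough
# application traffic for NBAR to recognise the device (printing, DICOM, mDNS).
PRE_AUTH = [
    Rule("permit", "udp", "0.0.0.0/0", 67),   # DHCP
    Rule("permit", "udp", INFRA, 53),         # DNS
    Rule("permit", "tcp", INFRA, 88),         # Kerberos to AD
    Rule("permit", "tcp", INFRA, 389),        # LDAP to AD
    Rule("permit", "tcp", PRINT_SERVER, 9100),
    Rule("permit", "udp", MDNS, 5353),        # Apple TV / Roku discovery
    Rule("permit", "tcp", PACS, 104),         # DICOM
]

# After profiling as an MRI: PACS only, no internet, no other MRI machines.
MRI_DACL = [
    Rule("permit", "udp", INFRA, 53),
    Rule("permit", "tcp", PACS, 104),
    Rule("permit", "tcp", PACS, 11112),
    Rule("deny", "ip", "0.0.0.0/0"),          # explicit, so it shows in hit counts
]

if __name__ == "__main__":
    print(to_ios(PRE_AUTH, "PRE-AUTH-DEFAULT"))
    print(to_ios(MRI_DACL))
    print(evaluate(MRI_DACL, "tcp", "93.184.216.34", 443))   # no internet for the MRI
```

Evaluating candidate flows against both lists before pushing them is a cheap way to confirm that the pre-auth list really lets the profiling traffic through and that the post-profiling list really closes the internet and MRI-to-MRI paths the example calls out.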

Creating Authorization policy in ISE with Custom Profiles

The final step is to use this profiling policy in an authorization policy to provide the right level of access.

  1. From the ISE UI, go to Administration > Network Resources > Network Device Groups. Create a new Network Device Group with parent "All Device Types" for the test network device you are adding.
  2. From Administration > Network Resources > Network Devices, add a new network device with its IP address/subnet mask and check the RADIUS settings. Make sure the shared secret matches between ISE and the network device. Select the Network Device Group you just created from the Device Type drop-down.
  3. Go to Work Centers > Network Access > Policy Elements > Results. In the left panel you will see Authorization Profiles. Create a new Authorization profile with a VLAN, a Downloadable ACL or a Scalable Group Tag.

Note: ISE ships with default Authorization profiles. If you use one, open it and confirm it assigns the ACL you intend. VLAN/ACL or SGT assignment is done under "Common Tasks" inside the Authorization profile.

When assigning SGT, choose the name of the SGT that opens up another drop down to choose the corresponding Virtual Network for SDA deployments. For non-SDA deployments leave this empty.

To create a new Downloadable ACL you can see the corresponding option on the left panel of the screen under Work Centers > Network Access > Policy Elements > Results. Once you create Downloadable ACL, add it to the Authorization profile you created.

  4. Go to Work Centers > Profiling > Policy Sets (the same policy sets are shown under Policy > Policy Sets).

Add a new policy set by clicking ⊕ and type a name for it. Add a condition by clicking +, which opens the Condition Studio; select DEVICE from the Dictionary and Device Type as the attribute, then pick the Network Device Group created above from the drop-down.

  5. Click the right arrow > (to the right of the policy set entry) to open the policy set. Click Authorization Policy to open it; out-of-box policies are already present. New authorization policies added at the top are processed first, because ISE evaluates the rules top-down and stops at the first match.
  6. Map the endpoint profiling policy to an authorization policy as follows.
  • Click ⊕ to add a new authorization policy.
  • Highlight the new rule name and type a name, e.g. 'EA IP Phone'.
  • Click + under Conditions; this opens the Condition Studio (close the help screen if one pops up).
  • In the Editor window, click to add an attribute (close the help screen if one pops up), choose the EndPoints dictionary from the Dictionary drop-down and select the EndPointPolicy attribute.
  • In the 'Choose from list or type' box, choose the profiling policy you created above for the IP Phone as the value (IP_Phone_FromEA). Click Use.
  • This brings you back to the Authorization Policy screen.
  • For the authorization policy you created, under the Results > Profiles column, click Select from list and choose the Authorization profile, e.g. the built-in Cisco_IP_Phones profile or the one you created in step 3.
  • Scroll down and Save.
  7. Add the Scalable Group Tag under the Security Groups column in the Results of the authorization policy. Save it.

Troubleshooting tips

  1. Check if pxGrid is turned on

Endpoint Analytics - ISE troubleshooting tips.png

  2. Check that the following pxGrid setup has been done on the ISE side

Endpoint Analytics - ISE troubleshooting pxgrid tips.png

Appendix 1: Cisco Traffic Telemetry Appliance bootstrapping

  1. Configure authentication on the Telemetry Box (use this to pre-configure the box for on-boarding). Use enable secret and a hashed local user password rather than the cleartext enable password / password 0 forms, which are stored in the config as typed:
hostname telemetry-box
aaa new-model
aaa authentication login default local
username admin privilege 15 secret <admin-password>
enable secret <xyx1123!!>
  2. Configure UTC time. Example:
ntp server 2.2.2.2 source GigabitEthernet0/0/5

or, from exec mode, set the clock by hand:

clock set 18:00:00 1 Jan 2019
  3. Configure NBAR classification of Control and Provisioning of Wireless Access Points (CAPWAP) tunneled traffic. Example:
ip nbar classification tunneled-traffic capwap
ip nbar classification granularity fine-grain
  4. Configure the management interface that sends telemetry data to DNAC:
interface GigabitEthernet0/0/5
 description ***** Management port to talk to DNAC ********
 ip address <Management IP address of appliance> <Subnet mask>
  5. Configure the default route. Example:
ip route 0.0.0.0 0.0.0.0 <Gateway IP address>
  6. Configure the DNS server. Example:
ip name-server <IP address of DNS server>
  7. Initial port configuration of the Cisco Traffic Telemetry Appliance before it is managed by DNAC. The Ten Gig and Gig 0/0/x ports receive SPAN copies of the traffic to be inspected; only Gi0/0/5 carries an IP address.

Example:

Configure Telemetry Box network settings

interface TenGigabitEthernet0/0
 description ****** Ten Gig SPAN ****

interface TenGigabitEthernet0/1
 description ****Ten Gig SPAN from second distribution***

interface GigabitEthernet0/0/0
 description ***** Span Traffic ********

interface GigabitEthernet0/0/1
 description ***** Span Traffic ********

interface GigabitEthernet0/0/2
 description ***** Span Traffic ********

interface GigabitEthernet0/0/3
 description ***** Span Traffic ********

interface GigabitEthernet0/0/4
 description ***** Span traffic ********

interface GigabitEthernet0/0/5
 description ***** Management port to talk to DNAC ********
 ip address <x.x.x.x> <y.y.y.0>

interface GigabitEthernet0
 description ***Port used as a backup Management for Router***

Appendix 2: ML data collection configuration checklist

  • Verify that the required DNAC packages are installed; without them none of the items below will show any data:
    AI Endpoint Analytics, Application Visibility Service, AI Network Analytics.

  • NetFlow configuration:

  • Enable NetFlow under Network Design > Telemetry, pointing to DNAC or to an external NetFlow collector (Stealthwatch UDP Director).
  • If a NetFlow configuration already exists (e.g. for Stealthwatch), the configuration may need to be reviewed and pushed manually.
  • Verify that the correct flow monitor is assigned to each of the access ports.

  • ISE configuration (as in this document)
    • Also check the profiler configuration: endpoint probe data export and pxGrid enabled as a profiler probe source.

  • Verify the network devices in the DNAC inventory. The same network device must be present in DNAC and in ISE; use the NAS (Network Access Server) IP address when adding it to the DNAC inventory.
  • Verify the ISE integration in DNAC (System 360) and that pxGrid is turned on.
  • Verify that endpoints are authenticated by ISE (either with dot1x or MAB).
  • ISE profiler configuration (as in this document).
  • Devices are CBAR ready and provisioned (as in this document).
  • NetFlow configuration: provision from DNAC, check the record template details, verify on the device, review any pre-existing configuration and add or change the flow records to match the configuration provided.
  • Check that endpoints show up in Assurance under Client 360 and in the Endpoint Analytics UI.
  • Confirm the logical class: verify in EA that the MAC address corresponds to an IP Phone/Printer and carries the Endpoint Type label.

Glossary:

EA: Cisco AI Endpoint Analytics, an application running on Cisco DNAC that provides endpoint visibility and collects asset information from various sources.

DNAC: Cisco DNA Center, the platform/controller that provides Automation, Assurance and Policy to enterprises managing their network.

ISE: Identity Services Engine, a software appliance that provides AAA services, verifies compliance and enforces network access and access control policies.

pxGrid: Platform Exchange Grid, a service that exchanges endpoint information between ISE and other Cisco and non-Cisco products.

AAA: Authentication, Authorization and Accounting, which refers to how endpoints and users are authenticated and authorized in the network, typically using the RADIUS protocol.

SDAVC: Software-Defined Application Visibility and Control, a service running on Cisco DNA Center that gathers application and endpoint information from the network for application recognition and endpoint visibility.

NBAR: Network Based Application Recognition, the sensor engine embedded in the network device that performs deep packet inspection of Layer 7 protocols, together with Layer 3 and Layer 4 information, to detect applications and endpoints in the network.

CBAR: Controller Based Application Recognition, the controller-side component in DNAC that enables NBAR on the network device.

SPAN: Switched Port Analyzer, a connection where a copy of Layer 2 traffic from one or more VLANs or ports is mirrored to a destination.

AI: Artificial Intelligence, here the AI service on DNAC and in the cloud that provides intelligence for endpoint analytics together with crowdsourcing.

ML: Machine Learning, the algorithms used to cluster unknown endpoints so that admins can label them; those labels can then be crowdsourced.

IOT: Internet of Things, endpoints in an enterprise that serve a specific purpose, as opposed to general-purpose endpoints (mobile devices, laptops, printers, etc.).

DNS: Domain Name System, the name service that maps a name to an IP address so that applications, products and services can reach a given destination (e.g. an email service, an application service, servers, endpoints).